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Abstract 

Secure group communication in heterogeneous environment is gaining popularity due to the advent of wire- 
less and ubiquitous computing. Although a number of protocols for group key agreement have been proposed, 
most of them are not applicable in heterogeneous environment where a number of computationally limited nodes 
coexist with one or more computationally efficient nodes. Among the few existing protocols, where some fail 
to satisfy the key agreement properties, some are unable to handle the agreement for dynamic group. In this 
work, we propose a constant round group key agreement protocol for heterogeneous environment using polyno- 
mial interpolation. The protocol ensures both communication and computation efficiency by shifting the major 
computation load on powerful users, achieves true contributory key agreement property and dynamic handling of 
user join and leave. The security of the protocol has been analyzed under formal model. The comparison result 
shows considerable improvement in protocol efficiency compared to the existing ones. 

Keywords: Group key agreement, Heterogeneous environment, Hierarchical key agreement, Provable security 



1 INTRODUCTION 

The key establishment problem has been widely studied in the literature. However, due to the changing scenario 
of communication applications, it still continues to be an active area of research. The addition of certain pro- 
tocol properties desired in certain situations and some extra assumptions about the network setup and security 
infrastructure have opened up new challenges for the key establishment problem. Key establishment is generally 
classified into two classes: key transport, where one of the users chooses the key and key agreement, where all the 
users contribute to the computation of the key. 

In recent times, as different group oriented applications proliferate in modern computing environment, the 
design of an efficient key agreement protocol for group has received much attention in the literature. One focus 
area in group key establishment is designing protocols for heterogeneous environment where user nodes with 
different computation capabilities coexist. Typically in a heterogeneous environment, a number of user nodes 
have limited computation capability, whereas one or more users have more computation capability. The example 
of such environment is mobile networks and ubiquitous computing environment. 

On the contrary to a common initial impression, secure group communication is not a simple extension of 
secure two-party communication. Beyond the fulfillment of security requirements, a large number of the existing 
group key agreement protocols suffer from lack of efficiency. Protocol efficiency and scalability in group key 
establishment is of great concern due to the direct relation of the number of participants to computation and 
communication complexity. It can be noted that, one desirable property of GKA in heterogeneous environment is 
to ensure computation and communication efficiency for the low power users. 

In this work, we present a truly contributory group key agreement protocol for heterogeneous environment 
where a number of resource constrained users are connected to one/more powerful users. Unlike the previous 
protocols which are based on Diffie-Hellman scheme, our protocol design uses non-Diffie Hellman technique and 
achieves better computation and communication efficiency. We also present a proof of security of the protocol in 
random oracle model. 
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1.1 Related work 



The original idea of extending the 2-party key establishment to the multi-party setting dates back to the classical 
paper of Ingermarsson et al. [9 1, and is followed by many works lfT4l l7ll2l. However, all these approaches simply 
assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. 
Also, in the earlier protocols, the round complexity is linear in the number of group members. 

The first constant round protocol secure against passive adversary was given in [4 |. More recently, based on 
this, Katz and Yung [12] have proposed the first constant-round protocol for authenticated group key agreement 
that has been proven secure against an active adversary. The protocol requires three rounds of communication 
and achieves provable security under the Decisional Diffie-Hellman assumption in the standard model. While 
the protocol is very efficient in general, this full symmetry negatively impacts the protocol performance in a 
heterogeneous scenario. 

In HI Boyd and Nieto have introduced a one-round group key agreement protocol which is provably secure 
in the random oracle model. This protocol is computationally asymmetric. In recent times Bresson et al. have 
proposed a number of group key agreement protocols J6j [3] O and have given the first provable security model 
for security analysis of group key agreement protocol. Bresson and Catalano Q] have presented a provably- 
secure protocol which completes in two rounds of communication. Interestingly, unlike previous approaches, 
they construct the protocol by combining the properties of the ElGamal encryption scheme with standard secret 
sharing techniques. However, this protocol suffers from a significant communication overhead both in terms of the 
number of messages sent and the number of bits communicated throughout the protocol. In J5) another constant 
round protocol was proposed which is suitable for low power mobile devices. Nam et.al has shown an attack on it 
ifTOl . Then in ifTTl . Nam et al. proposed a group key agreement protocol for an imbalanced network that provides 
forward secrecy. In their protocol, the computation time for a mobile node is two modular exponential operations. 
They adopted the Katz and Yung scalable compiler to transform their two-round protocol into an authenticated 
group key agreement protocol with three rounds. However, Tseng 1131 later showed that the protocol is not a 
real group key agreement protocol as the users cannot confirm that their contribution was involved in establishing 
the group key. |[T3l also proposed a group key agreement for resource constrained environment which is secure 
against passive adversary. 



1.2 Our contribution 

The main contribution of this work is to design a contributory group key agreement protocol in heterogeneous 
communication environment. Unlike the previous protocols, the proposed protocol at the same time achieves 
mutual authentication, completes in 2 round and provides very low computation and communication overhead for 
the low-power users. The design goals of a protocol for authentication and key agreement depends on a number 
of assumptions like the user node capabilities, the communication model setup, i.e. how the users are connected 
to each other. 



Network 
Center 




U3 



Figure 1 : System model 

The system model that we consider for this work is shown in figureQ] It consists of a cluster of n mobile hosts 
or users with limited computational power 11 = {Ui,U2, ...,U n }, and a computationally efficient node Uq. The 
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participants communicate with the Uo to establish a common conference key among themselves. The users do not 
communicate among themselves. All the communications are through Uo- 
The contributions of the work can be summarized as follows: 

1 . Asymmetric computation: In a heterogeneous environment, the computational requirement by the low power 
nodes can become one major bottleneck if the amount of computation increases with number of users. In 
our work, we follow an asymmetric computation pattern and fix the amount of computation required by the 
host nodes to a constant value. The major computation burden that increases with the number of users are 
shifted to one/more computationally powerful node. 

2. Verifiability of contribution: In the literature, some protocols 151 [Til have been proposed for server based 
contributory key agreement both for general and hierarchical layout. However, as pointed out in [13], none 
of them assure the user about its participation in key construction and thus user is not able to distinguish 
between a random key or an actual key. We note that, the contributory key agreement is meaningful only 
when the users verify that their contributions are indeed utilized in key construction. In the proposed work, 
users are able to verify the utilization of their contributions. 

3. Efficiency in computation: We reduce the number of expensive operations required to be performed by each 
user. Specifically we remove the computationally expensive exponentiation operations and limit the online 
operations of the users to a single linear function. All other operations are performed offline. 

4. Dynamic join and leave : We consider the users to be completely dynamic i.e. allow the users to leave or 
join the group within a protocol session. 

5. Formal security analysis: Compared to the number of cryptographic protocols proposed in the literature, 
security of very few of them have been proved under a formal model. In this work, apart from informal 
analysis of protocol goals, we provide the security guarantee of the protocols under provable security model. 

2 User- verifiable contributory key agreement 

In this section, we present the proposed group key agreement protocol. 
The following notations are used for the protocol descriptions. 



u 


The set of users {/,-, i £ ( 1 , n) 


Uo 


The leader having higher resources 


IDi 


The unique identity of user £/,■ S U 


Qp 


Cyclic group of order p 


8 


Generator of group g p 




A collision free hash function 


X 


A secure signature scheme 


pruPUi 


Signature key pair for user t/, 


Q 


A counter shared between user I/,- and Uo 



The public parameters Q p and g, defined here, are assumed to be known to all the participants in advance. 
The hash function H and the signature scheme x is also known to all. Each group member in protocol is having 
an unique identity ZD,. The protocol is defined in an asymmetric setting consisting of a powerful node Uo and 
a set of group users (U\,U2, ■ ■ ■ ,U n ). The Uo has a (private,public) key pair (pro,puo) for encryption-decryption 
and signature. Each user Ui also has a set of signing and verifying key pair (pri,pu,) for signature generation and 
verification. Each user Ui,i <E [1 , re], shares a counter C, with Uo- The C, is included for freshness and incremented 
at each communication session. 

2.1 Proposed protocol 

• Step 1 : Preparing user contribution and signature 

Each user t/, with identity IDj chooses its contribution randomly. Let C,- be the current value of counter 
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for user £/,-. The values of (/Di||/Do||*j||Cj) are then encrypted with Uq's public key. Here || denotes the 
concatenation operation. 

e i = {ID i \\ID \\x i \\C i } puo 

Ui also takes a signature sigi of (7D,-| |7Do| |jc/| |Q) using it's private signature key. 

sig i = x pri {ID i \\ID \\x i \\C i ) 

Each user then sends e^sigi to the Uo- 

Ui —> Uo : e h sigi 

All these operations can be performed offline. The advantage of using counter over timestamp is that the 
operations involving the counter can be performed offline. 

• Step 2: Receipt of user message and verification at Uo 

The Uo receives all the messages and decrypts them. It then verifies all the signatures of the corresponding 
users. It also checks the validity of the counter C, and accepts if the signatures are valid. 

• Step 3: Computation of secret by Uo 

The pair of identity and random value (ZD,-, Xj) received from each user is taken as it's contribution to 
construct the key. Uo also selects a random number xq 6 g p as its contribution. The secret is constructed by 
interpolating all the contributions into a polynomial. The n + 1 values of (IDi,Xi) are taken as (n + 1) input 
points to the interpolation algorithm. As, all the identities of the users are distinct, a distinct polynomial 
will be obtained from the fresh input. Let the coefficients of the resulting polynomial be ao, a\ , . . . , a n . Thus 
the polynomial is as follows: 

A(x) = ao + a\x + a 2 x 2 + . . . + a n x" 
The secret value is constructed as K = (ao\ \a\ \ \ . . . \a n ). 

• Step 4: Computation of reply message from Uo 

For each user t/,, Uo computes a one way hash M (IDi,IDo,Xi,Ci) over the identity ZD,-, IDq, counter C, 
and contribution Xj. Then the secret value K is bitwise XORed with this hash value to obtain a value P; as 
follows: 

P i = K®^(ID i \\IDo\\C i \\x i ) 
If length of K is more than the hash output, it can be sent in multiple fragments. 

Let Y = {Pi\i = l...n}, Uo takes a signature sigo of the values (IDo,Y,U) using its private signature key. 

sigo=l prQ (IDo,Y,U) 

The Uo finally creates a broadcast message M = {Y,U, sigo} and broadcasts M to all the users. 

• Step 5:Secret key computation & Verification at users end 

Each user t/, will receive the f/o's messages and verify the signature of Uo- Then the user obtains the value 
of H (IDj,IDo,Xi,Ci). This value can be calculated by the user offline. The shared secret will be calculated 
by the user as follows: 

P t ®!H(ID u IDo,xi,Ci) 

= K@X (lD u lD ,x u Ci) ® (ID h IDo,Xi,Q) 
= K 



If K is sent fragmented, the user has to obtain all the fragments in a similar manner and combine them to 
get the secret. 

The users can now verify whether the secret is constructed using their contributions. If the contribution x, of 
user Ui is used, then the relation A (ZD,) = x, should be true. The verification is done in the following way: 
After receiving the coefficients user Ui will compute the following 

ao + a\IDi + a 2 IDj + ... + a„ID? 

If this value is equal to x„ the user knows his/her contribution was used in key construction. According to 
Horner's rule, this computation can be written as 

a Q + ailDi + a 2 IDj + ... + aJD^ 
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User 1 



x\ &Z q 



sigi =x(IDi,ID ,Xi,Ci 



User 2 

sig 2 =l(...) 



K = Pi®M(ID 1 ,ID ,x 1 ,C 1 ) 
Verifyxi = ciq + a\ID\ + ... 
Key — F(K,U) 



1r 



{IDi,IDo,xx,Ci} pUs ,sigi 



M=(Y,sig ,U 



K= ... 

Verifyx2 — 
Key = (...) 



, {ID 2 ,..} pUs ,sig2 



Usern 

X n G Zq 

Sig n = <•••) 



K= ... 

Verifyx n = 
Key =(,..) 



{ID n ,..} pUs ,sig n 



Network Center (NC) 

A(x) = a Q + aix + a 2 x 2 + . .a„x n K = a Q \\ai\\ . . . \\a„ 

Pi=K®X(xi,...) P 2 =K®rt( Xi ) P n = K®y{( Xi ,..7) 

y=Pl||P2||...||Pn sigy=XprJJIhJV) 

Figure 2: Proposed Conference Key Agreement Protocol 



=a +7A(ai +ID,{a 2 +ID i (. . . ))) 
This way, the verification requires only n multiplications. 

Finally, the shared secret key for conference is computed by all the users as Key = J (K,U), where J is a 
predefined one-way function. 

Figure ^demonstrates one instance of the Key Agreement scheme of proposed protocol. 

2.2 Dynamic handling of user join and leave 

When a conference session is in progress, users may be allowed to join or leave. In some applications it may not 
be desirable that a new joining user understands the content of previous conversations. Similarly, it is also not 
desirable that a leaving user continues to understand the ongoing conversation. Thus, ensuring the security of the 
conference while allowing dynamic join and leave is essential. In the proposed protocol, the security of the secret 
key while maintaining dynamic join/leave is maintained in the following way. 

User Join 

When a new user U„ ew joins, it the sends its share (ID new ,x new ) to Uq. The set of users is updated as Zl — 11 UID new . 
Uo also refreshes its contribution to (IDq,x' q ) using a new random value x' G Q p . Then the shared secret is 
computed and distributed as described in steps 3 to 5 in key .agreement. 

User Leave 

When an existing user U id leaves, Uq discards its share (ID i c i,x [ c /). The set of users is updated as U = U niD i c i. 
Uq also refreshes its contribution to (IDq,x' q ) using a new value x' Q . Then the shared secret is computed and 
distributed as described in steps 3 to 5 in key .agreement. 

It can be noted that, as one group member joins or leaves, it's corresponding contribution point is added/discarded. 
The C/o's contribution also changes. So, whenever there is a change in membership, atleast two points of the secure 
polynomial change and its value is refreshed. Now, from the property of polynomial interpolation, it is known 
that, if 1 out of (n + 1 ) points on a n degree polynomial is changed, the polynomial changes in an unpredictable 
way. This is information theoretically true. Thus, secrecy of the previous (new) key from new (former) group 
members is maintained. 



2.3 Security Analysis 

The proposed protocol has the security properties of key freshness, key confidentiality and mutual authentication. 
Also true contributiveness of the key is achieved as no participant can predetermine the key or influence the key. 
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An informal analysis shows that it is resistant to common attacks such as replay, impersonation, unknown key 
share and collusion. 

The prime motivation of the proposed protocol is to reduce the computational overhead from the users. Thus, 
we have deliberately not considered the perfect forward secrecy. However this property can be easily achieved by 
associating a Diffie-Hellman key exchange. 

The advantage of taking identities /D, as x coordinate values of polynomial interpolation is that they are 
unique. However, if the identities of users are known to each other, an user may be able to obtain the contributions 
of other users. Although this knowledge does not help a new/former user to deduce the old/new key, it may not be 
desirable in some applications. In that case, instead of using ID[ directly as the x coordinate value, the H{IDi,xi) 
value can be used. As the one way hash is assumed to be collision free, this method will still produce unique 
values for x coordinates. Alternatively, the counter values C, known between user and Uq can also be used for x 
coordinates. 

We now present the security analysis of the protocol in formal model. 
The security model 

The first formal model for security analysis of group key agreement protocols was given by Bressonef al 0. We 
also use a similar game based security model widely used in literature. 

The protocol participants are a set U — (Uq,Ui, ...,U n ) of all users that can participate in the key agreement 
protocol. Each user can simultaneously participate in different protocols sessions. Thus an instance of user t/ ( - in 
protocol session s is represented by the oracle ITj. Each user £/, G U obtains a private-public key pair (prt,pui) 
for signature generation/verification. 

The partner ID of an user £/, in session s is the set of all users who compute the same key as the user £/, in that 
session. The partner ID is defined using session ID. The session ID is defined in terms of the messages exchanged 
among the users in a session. The detail definition of session identity is given in the [5 1. 
The adversary 

The adversary A is active and assumed to have control over all communication flows in the network. The adversary 
communicates with the users through a number of queries, each of which represent a capability of the adversary. 
The queries are as follows. 

• Send(Ui,s,m): Models the ability of A to send message m to user U(, The adversary gets back from his 
query, the response that the user t/, would have generated on processing the message m. If the message 
m is not in expected format, the oracle would halt. If the oracle accepts, rejects or simply halts, the reply 
will indicate that. If the message m = NULL, a new session would be initiated. An oracle is said to have 
accepted, if it has obtained/computed a session key and accepted it. 

• Reveal(Ui): If an oracle 11? accepts and holds a session key 2£, then the adversary A can use the reveal 
query to obtain the session key held by the oracle. 

• Corrupt (Ui): When the adversary sends a corrupt query to an user Ui, the internal state information, that the 
user holds is revealed. Also, the long term secret key of user i/, is replaced by a value K of the adversary's 
choice. 

• Test(Ui): Once an oracle ITf has accepted a session key Ku, the adversary can ask a single Test query. In 
reply to this query, a random bit b is chosen. If b = the session key is returned, otherwise a random string 
is returned from the same distribution as the session keys. The advantage of the adversary to distinguish the 
session key from the random key is taken as the basis of determining security of the protocol. 

Security definitions 

Now we define the security assumptions for the proposed key agreement protocol within the security model given 
above. The detailed definitions can be found in lf5l ITT1 m . 

• Freshness 

Freshness captures the intuitive fact that a session key is not obviously known to the adversary. A session 
key is fresh if it has been accepted by an uncorrupted oracle and the oracle or any of its partners are not 
subjected to the reveal or corrupt query. 

• Authenticated group key agreement 

The security of an authenticated group key agreement protocol rP is defined by a game G(A , <E ) between the 
computationally bound adversary A and protocol rP . The adversary A executes the protocol <E and executes 
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Table 1 : Comparison with existing protocols 
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all the queries described in the security model, as many times as she wishes. JA wins the game, if at any 
time it asks a single Test query to a fresh user and gets back a /-bit string as the response to the query. At a 
later point of time it outputs a bit b' as a guess for the hidden bit b. Let GG (Good Guess) be the event that 
b = b' , i.e. the adversary J? , correctly guesses the bit b. Then we define the advantage of J? in attacking £P, 
as 

Adv p A {k) = 2.Pr[GG] - 1 

We say that a group key agreement scheme 2> is secure if Adv^(k) is negligible for any probabilistic poly- 
nomial time adversary A . 

• Secure Signature Scheme 

The security notion for a signature scheme is that it is computationally infeasible for an adversary to produce 
a valid forgery o with respect to any message m under (adaptive) chosen message attack (CMA). A signature 
scheme z(g ,S, V) is (t,q,e) secure if there is no adversary whose probability in mounting an existential 
forgery under CMA within time t after making q queries is greater than e(negligible). The probability is 
denoted as Succ x (tt). 

• Secure encryption scheme 

A public-key encryption scheme PE = (K;E;D) consists of three algorithms: A key generation algorithm 
K giving a pair (e;d) of matching public and private keys, an encryption algorithm E, and a decryption 
algorithm D. 

The encryption scheme PE is secure if the adversary's advantage is negligible. We denote the probability 

as Succ enc (ft). 

Thus, we have defined the security model for the protocol definition. In the next section, we proceed to 
describe the detail of the proposed protocol. 

Proof 

We now analyze the security of the protocol as the probability that an adversary can some information on the key 
and gain some advantage against the authenticated key agreement (AKE) security. Let denote the probability as 
Adv c p e . Let A be the adversary against the AKE security of the protocol making at most q s send quires and qh 
hash queries (to hash oracles H and F). Let Si plays the game Go against the protocol. 
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We now incrementally define a series of games such that each subsequent game has some additional properties. 
Let b is the bit involved in the Test query and b' be the guess output by the adversary. Then, W/n, denote the event 
in game G, when b — b' . In each game, we simulate the protocol and consider the adversary to attack the protocol. 
Finally we relate all of them to obtain the probability of Wino- 

Let all the queries are answered by a simulator X. It maintains two tables. In the table S, it maintains the 
transcript of all sessions initiated by it. Also, a list Lh is maintained to answer the queries to the hash oracles, n is 
the number of users. 

Game Go: This is the real attack. The X generates a pair of signing/verification key and the Uo is given a pair of 
public-private key. It answers all queries of the adversary in accordance of the protocol. 

Game Gi : Let Forge be an event that A asks for a send query to the Uo such that the verification of the signature 
is correct and m' was not previously output by a client as an answer to another send query. It means that A is 
sending a message that it has produced itself. Such an event can be detected by X as it maintains a table of all 
protocol transcripts generated by itself. In this case, X aborts the game and outputs b' randomly. 

The event Forge occurs when i? was successful to make an existential forgery against the signature scheme 
for one of the participants. The probability of this event is thus n * Succ x (j4.), where Succ x (a.) is the success 
probability of signature forgery against the signature scheme T, given some public key PK. 

The game is identical to Go except when Forge occurs. Thus, 

Pr(Wini ) - Pr(WinO) <n* Succ x (A ) 
Game G2: Let Erie be the event when the adversary makes a hash oracle query involving some ) and the 

same hash query was asked by the a protocol participant (user or Uo)- This can be checked from the list of hash 
that is maintained. If such an event occurs it means, adversary has been able to attack the encryption scheme. 

The probability of success against the encryption scheme after making q s queries is q s *Succ enc (A). The game 
is identical to G\ except when enc occurs. Thus the total winning probability of the game 

Pr(Win 2 ) - Pr(Win\) < q s * Succ enc (A ) 

Combining all the results, we obtain 

Pr(Wino) <N* Succ x (A ) + q s * Succ enc {A ) 

Thus, according to our security assumptions, the probability of the polynomially bound adversary to win the 
game is negligible. 

2.4 Performance analysis 

In this subsection we present a performance comparison of the proposed protocol with the existing ones. 

The performance of an authenticated group key agreement protocol is examined based on both its computation 
and communication requirements. The computation requirement is assessed by the number of major operations 
performed. The communication requirement is measured by counting the number of rounds, messages and bits to 
be communicated. 

Communication requirement In figure [3] we perform a comparison of the communication requirement of the 
proposed protocol with ifTTIl . The comparison is based on the number of bits required to be transmitted by powerful 
user Uo versus the number of users. The signatures and hash values are assumed to be 256 bit whereas the cyclic 
group of public key system is taken 1024 bit. It can be noted that the proposed protocol requires much lesser 
number of bits to be transmitted from the powerful node to the users and the difference grows with increasing 
number of users. The difference in the proposed protocol is achieved by using non-Diffie-Hellman based key 
computation technique. 
Computation requirement 

Table Q] shows a comparison of the proposed work with respect to existing similar works. Here first two 
columns show the computation requirements of user and Uo respectively. Next two columns show the number of 
rounds and messages required to complete the protocol transactions. The next column (dynamic) denotes whether 
the protocol is dynamic or not, Auth denotes whether authentication is provided and Verif denotes user verifiability 
and PS denotes provably secure. 

The table shows that the proposed protocol, in-spite of offering the verifiability and mutual authentication 
property, is comparable to the existing works. Apart from [ Q, the rest of the protocols also use 2 exponentiations. 
The H), despite being computation efficient uses n broadcasts which is expensive. In the proposed protocol, most 
of the computations performed by the users, i.e. encryption, hash computation and signature can be computed 
offline. Thus only a bit-wise xor is the main operation to be performed online. Moreover, the offline computations 
are also less expensive as the user performs a hash computation and one public key encryption which is not 
expensive as a public key (3 — 16 bit) is short. 
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3 Conclusion 



In this work we have provided an efficient and scalable solution for true-contributory group key agreement in 
an heterogeneous environment, which consists of both nodes with limited and relatively higher computational 
resources. The protocol transfers most of the computation and communication load to the powerful node, whereas 
the only online computation performed by a low power user is a single XOR computation. 
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